CN112787819B - Industrial control safety communication system and communication method - Google Patents
Classifications
- H04L9/3263 — Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L67/14 — Network arrangements or protocols for supporting network services or applications: Session management
- H04L9/3247 — Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
Abstract
The invention relates to an industrial control secure communication system and communication method comprising a cloud end and at least two control ends. The cloud end comprises a certificate server, a cloud security module and an industrial control server; each control end comprises a 5G communication module, a control end security module and an industrial control module. The industrial control server is connected with the 5G communication modules, the control ends are in communication connection with one another through a field bus, and the cloud security module and the control end security module provide a cryptographic service function and a secure storage function. The cryptographic service function comprises random number generation, signature and verification operations, encryption and decryption operations, session key generation and hash operations. The industrial control server calls the cryptographic service function provided by the cloud security module; the industrial control module calls the cryptographic service function and the secure storage function provided by the control end security module. The certificate server generates a public key certificate for the cloud end and writes its public key into the control end security module; the cloud security module stores the corresponding private key. Communication between the industrial control modules is thereby made secure, reliable, simple and efficient.
Description
Technical Field
The invention belongs to the technical field of industrial control communication, and particularly relates to an industrial control safety communication system and a communication method for ensuring safety encryption communication among a plurality of industrial control modules on a field bus.
Background
A field bus (fieldbus) is a technology applied at the production site to perform bidirectional, serial, multi-node digital communication between field devices, and between field devices and control apparatus. It mainly solves the problems of digital communication among field devices such as controllers, intelligent instruments and meters, and actuators in industrial sites, and of information transmission between the field control devices and a higher-level control system. The field bus serves as the basis of the industrial data communication network: it links the field-level control equipment of the production process to each other and to the higher control and management layer, and is not only a base-layer network but also an open, fully distributed control system. Because the field bus has a series of outstanding advantages, being simple, reliable, economical and practical, it receives close attention from many standards groups and computer manufacturers, has become one of the hotspots of technical development in the automation field, and is known as the local area network of the automation field. A plurality of industrial control modules can be connected to one field bus, over which they can exchange control and data information conveniently and efficiently.
However, while the field bus brings convenience, speed and practicality to communication among a plurality of industrial control modules, considerable security risks also exist. For example, the identity of an industrial control module may be counterfeited, and information transmitted between industrial control modules may be intercepted, tampered with or replayed; such security threats are likely to cause major accidents, serious economic losses or other adverse effects.
As the new generation of mobile communication technology, 5G is used not only for person-to-person communication but also for person-to-thing and thing-to-thing communication, thereby realizing a true Internet of Things. 5G plans three application scenarios: eMBB (enhanced mobile broadband), mMTC (massive machine-type communication) and URLLC (ultra-reliable low-latency communication), to meet the requirements of vertical applications for large-bandwidth data transmission, massive network connections and ultra-low-latency control.
How to carry out secure encrypted communication among the industrial control modules on a field bus by utilizing the ultra-reliable, low-latency communication of 5G, according to the characteristics and problems of the mutual communication among those modules, is a problem that urgently needs to be solved.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide an industrial control secure communication system and communication method that make the mutual communication among a plurality of industrial control modules on a field bus secure, reliable, simple and efficient.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
an industrial control secure communication system comprises a cloud end and at least two control ends connected with the cloud end through a 5G network; the cloud end comprises a certificate server, a cloud security module and an industrial control server connected respectively to the certificate server and the cloud security module; each control end comprises a 5G communication module, a control end security module and an industrial control module connected respectively to the 5G communication module and the control end security module;
the industrial control server of the cloud is in communication connection with the 5G communication module of the control end through a 5G network so as to realize bidirectional communication between the cloud and the control end;
all control ends are in communication connection through a field bus so as to realize mutual communication;
the cloud security module and the control end security module provide a cryptographic service function and a secure storage function; the cryptographic service function comprises random number generation, signature and verification operations, encryption and decryption operations, session key generation and hash operations;
the industrial control server calls the corresponding cryptographic service function provided by the cloud security module; the industrial control module calls the corresponding cryptographic service function and secure storage function provided by the control end security module;
the certificate server generates and stores a corresponding public key certificate for the cloud end, and writes the public key in the cloud end's public key certificate into the control end security module of each control end in an off-line manner; the cloud security module stores the private key corresponding to the public key in that public key certificate.
The control ends are in communication connection through a field bus; specifically, the industrial control modules of the control ends are each connected to the field bus and communicate with one another over it.
The control end security module and the cloud security module are both secure smart chips; the commercial cryptographic algorithms supported by the secure smart chip comprise at least one of SM1, SM2 and SM3, and the supported international cryptographic algorithms comprise at least one of 3DES, AES, RSA, SHA-1 and SHA-256; the secure smart chip supports the storage of a digital certificate, provides a secure storage area for the secure storage of important information, and supports random number generation; the certificate server maintains a certificate revocation list and provides a certificate revocation list query function.
A method of industrial control secure communication using the industrial control secure communication system comprises a preparation phase, a group session key negotiation phase and a group secure encrypted communication phase;
step 1), the preparation phase specifically comprises the following steps:
at least two control ends act as members of the session key negotiation of the secure communication group and are uniformly denoted CE_i, wherein i = 1, 2, …, n; n is a natural number greater than 1; a control end group session key secure storage area is arranged in the control end security module of each control end and is uniformly denoted KZ_i, wherein i = 1, 2, …, n; n is a natural number greater than 1; K is the group session key to be negotiated;
the industrial control server at the cloud generates the following system parameters: G_1 and G_2, a cyclic additive group and a cyclic multiplicative group of order q; a bilinear mapping DL: G_1 × G_1 → G_2; P ∈ G_1; a randomly selected t as the random number of the key agreement; and a hash function H: {0,1}* → G_1; the industrial control server discloses the system parameters <P, DL, q, G_1, G_2, H, t>; wherein the finite field from which t is drawn has unit element e; ID_i is the unique identity of CE_i, and Q_i = H(ID_i) is the public key of CE_i; ID_i and Q_i are disclosed, wherein i = 1, 2, …, n; n is a natural number greater than 1;
each CE_i randomly selects b_i and calculates s_i = b_i Q_i, where s_i is the private key of CE_i; then CE_i randomly selects c_i and calculates D_i = c_i s_i; then D_i is transmitted to the industrial control server of the cloud off-line, or is encrypted with the public key in the public key certificate of the cloud and transmitted to the industrial control server of the cloud through the 5G network; the industrial control server decrypts with the private key corresponding to the public key of the cloud, and thus obtains and stores D_i; the industrial control server establishes the correspondence between ID_i and D_i; each CE_i takes a random number g_i; each CE_i calculates and saves the multiplicative inverse of c_i; wherein i = 1, 2, …, n; n is a natural number greater than 1;
step 2), the group session key negotiation phase specifically comprises the following steps:
step 21), each CE_i generates E_i = c_i Q_i and V_i = s_i P, and then sends the triple <ID_i, V_i, E_i> to each CE_j, wherein i = 1, 2, …, n; j = 1, 2, …, n; j ≠ i; n is a natural number greater than 1;
step 22), after receiving the triple <ID_i, V_i, E_i> sent by CE_i, CE_j obtains the D_i corresponding to ID_i from the industrial control server, then calculates DL(V_i, E_i) and DL(Q_i P, D_i) separately and compares the two values to verify CE_i; if the two values differ, verification fails, CE_j sends the verification failure identifier VERFAIL to each CE_i and to the industrial control server, and the group session key negotiation process is terminated; if the two values are the same, verification passes and the next step continues;
step 23), CE_i calculates M_i = c_i P and sends it to each CE_j separately, wherein i = 1, 2, …, n; j = 1, 2, …, n; j ≠ i; n is a natural number greater than 1;
step 24), after receiving M_i from CE_i, CE_j calculates N_ji = g_j M_i and sends N_ji to CE_i;
step 25), after receiving N_ji from CE_j, CE_i calculates (formula missing in the source); CE_i calculates r_i = g_i P; then CE_i calculates K_i (formula missing in the source), wherein i = 1, 2, …, n; j = 1, 2, …, n; j ≠ i; n is a natural number greater than 1; each CE_i stores K_i in KZ_i; the group session key K = K_i;
step 3), the group secure encrypted communication phase specifically comprises the following steps:
after the group session key K is successfully negotiated, each CE_i, wherein i = 1, 2, …, n; n is a natural number greater than 1, can perform group secure encrypted communication using the group session key K.
The invention has the following positive effects:
According to the industrial control secure communication system and communication method provided by the invention, a secure and efficient group session key negotiation protocol is provided through an identity-based public key cryptosystem, a group session key for secure communication is established among all industrial control modules, and the problem of mutual secure communication among the industrial control modules on a field bus is solved; in the group session key negotiation process, the system parameters required by the negotiation are generated by the cloud, which, through the ultra-reliable, low-latency 5G network, provides the required data to all participants and assists them in solving the identity authentication problem during the negotiation.
In summary, according to the characteristics of 5G and of the mutual communication between a plurality of industrial control modules on a field bus, the industrial control secure communication system and communication method provided by the present invention implement identity authentication and group secure encrypted communication between the industrial control modules, effectively solve the problem of insufficient security in the prior art, and make the identity authentication and group secure encrypted communication between the industrial control modules on the field bus secure, reliable, simple and efficient.
Drawings
FIG. 1 is a block diagram of an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The embodiment of the invention provides an industrial control secure communication method which can be applied to the environment shown in figure 1, comprising a cloud end and at least two control ends; the cloud end comprises a certificate server, a cloud security module and an industrial control server connected respectively to the certificate server and the cloud security module; each control end comprises a 5G communication module, a control end security module and an industrial control module connected respectively to the 5G communication module and the control end security module; the industrial control server of the cloud end is in communication connection with the 5G communication module of the control end through a 5G network, so that bidirectional communication between the cloud end and the control end is realized;
the at least two control ends are in communication connection through a field bus so as to communicate with one another; the cloud security module and the control end security module provide a cryptographic service function and a secure storage function; the cryptographic service function comprises random number generation, signature and verification operations, encryption and decryption operations, session key generation and hash operations; the industrial control server calls the corresponding cryptographic service function provided by the cloud security module; the industrial control module calls the corresponding cryptographic service function and secure storage function provided by the control end security module;
the certificate server generates and stores a corresponding public key certificate for the cloud end, and writes the public key in the cloud end's public key certificate into the control end security module of each control end in an off-line manner; the cloud security module of the cloud end stores the private key corresponding to the public key in that public key certificate.
The industrial control secure communication method comprises a preparation stage, a group session key negotiation stage and a group secure encryption communication stage;
the preparation stage specifically comprises the following steps:
step 1), the at least two control ends act as members of the session key negotiation of the secure communication group and are uniformly denoted CE_i, wherein i = 1, 2, …, n; n is a natural number greater than 1; a control end group session key secure storage area is arranged in the control end security module of each control end and is uniformly denoted KZ_i, wherein i = 1, 2, …, n; n is a natural number greater than 1; K is the group session key to be negotiated;
the industrial control server at the cloud generates the following system parameters: G_1 and G_2, a cyclic additive group and a cyclic multiplicative group of order q; a bilinear mapping DL: G_1 × G_1 → G_2; P ∈ G_1; a randomly selected t as the random number of the key agreement; and a hash function H: {0,1}* → G_1; the industrial control server discloses the system parameters <P, DL, q, G_1, G_2, H, t>; wherein the finite field from which t is drawn has unit element e; ID_i is the unique identity of CE_i, and Q_i = H(ID_i) is the public key of CE_i; ID_i and Q_i are disclosed, wherein i = 1, 2, …, n; n is a natural number greater than 1;
the disclosure described here means that each CE_i can obtain the relevant information, wherein i = 1, 2, …, n; n is a natural number greater than 1;
each CE_i randomly selects b_i and calculates s_i = b_i Q_i, where s_i is the private key of CE_i; then CE_i randomly selects c_i and calculates D_i = c_i s_i; then D_i is transmitted to the industrial control server of the cloud off-line, or is encrypted with the public key in the public key certificate of the cloud and transmitted to the industrial control server of the cloud through the 5G network; the industrial control server decrypts with the private key corresponding to the public key of the cloud, and thus obtains and stores D_i; the industrial control server establishes the correspondence between ID_i and D_i; each CE_i takes a random number g_i; each CE_i calculates and saves the multiplicative inverse of c_i; wherein i = 1, 2, …, n; n is a natural number greater than 1;
step 2), the group session key negotiation phase specifically comprises the following steps:
step 21, each CE_i generates E_i = c_i Q_i and V_i = s_i P, and then sends the triple <ID_i, V_i, E_i> to each CE_j, wherein i = 1, 2, …, n; j = 1, 2, …, n; j ≠ i; n is a natural number greater than 1;
step 22, after receiving the triple <ID_i, V_i, E_i> sent by CE_i, CE_j obtains the D_i corresponding to ID_i from the industrial control server, then calculates DL(V_i, E_i) and DL(Q_i P, D_i) separately and compares the two values to verify CE_i; under normal conditions, DL(V_i, E_i) = DL(s_i P, c_i Q_i) = DL(b_i Q_i P, c_i Q_i) = DL(Q_i P, Q_i)^(b_i c_i), and DL(Q_i P, D_i) = DL(Q_i P, c_i s_i) = DL(Q_i P, c_i b_i Q_i) = DL(Q_i P, Q_i)^(b_i c_i); after CE_j calculates the two values, if they differ, verification fails, CE_j sends the verification failure identifier VERFAIL to each CE_i and to the industrial control server, and the group session key negotiation process is terminated; if the two values are the same, verification passes and the next step continues;
step 23, CE_i calculates M_i = c_i P and sends it to each CE_j separately, wherein i = 1, 2, …, n; j = 1, 2, …, n; j ≠ i; n is a natural number greater than 1;
step 24, after receiving M_i from CE_i, CE_j calculates N_ji = g_j M_i and sends N_ji to CE_i;
step 25, after receiving N_ji from CE_j, CE_i calculates (formula missing in the source); CE_i calculates r_i = g_i P; then CE_i calculates K_i (formula missing in the source), wherein i = 1, 2, …, n; j = 1, 2, …, n; j ≠ i; n is a natural number greater than 1; each CE_i stores K_i in KZ_i; the group session key K = K_i;
step 3), the group secure encrypted communication phase specifically comprises the following steps:
after the group session key K is successfully negotiated, each CE_i, wherein i = 1, 2, …, n; n is a natural number greater than 1, can perform group secure encrypted communication using the group session key K.
In this embodiment, the cloud end calling the cryptographic service function specifically means that the industrial control server of the cloud end calls the corresponding cryptographic service function provided by the cloud security module of the cloud end;
the cloud end carries out bidirectional communication with the control end through the 5G network; specifically, the industrial control server of the cloud end carries out bidirectional communication with the industrial control module of the control end through the 5G communication module over the 5G network; the control end calling the cryptographic service function and the secure storage function specifically means that the industrial control module of the control end calls the corresponding cryptographic service function and secure storage function provided by the control end security module of the control end;
the control ends are in communication connection through a field bus; specifically, the industrial control modules of the control ends are connected through the field bus; the at least two control ends communicate with one another, specifically, the industrial control modules of the control ends communicate with one another over their respective field bus connections;
the certificate server also generates and stores a corresponding public key certificate for the control end; the control end security module of the control end stores the private key corresponding to the public key in that public key certificate;
the control end security module and the cloud security module are both secure smart chips; the commercial cryptographic algorithms supported by the secure smart chip comprise at least one of SM1, SM2 and SM3, and the supported international cryptographic algorithms comprise at least one of 3DES, AES, RSA, SHA-1 and SHA-256; the secure smart chip supports the storage of a digital certificate, provides a secure storage area for the secure storage of important information, and supports random number generation; the certificate server maintains a certificate revocation list and provides a certificate revocation list query function.
The invention negotiates a group session key for communication encryption among all industrial control modules by adopting an identity-based public key cryptosystem, and then uses the group session key to encrypt and protect the communication content when the parties communicate; in the group session key negotiation process, authentication and negotiation are completed mutually among the industrial control modules. Bilinear pairings are used in the authentication and negotiation process. A bilinear pairing is defined as follows:
Let G_1 be a cyclic additive group generated by P, of order q, and G_2 a cyclic multiplicative group of the same order q. A bilinear pairing is a mapping DL: G_1 × G_1 → G_2 that satisfies the following properties:
1) Bilinearity: for all P, Q ∈ G_1, DL(aP, bQ) = DL(P, Q)^(ab);
2) Non-degeneracy: there exist P, Q ∈ G_1 such that DL(P, Q) ≠ 1;
3) Computability: for all P, Q ∈ G_1, there is an efficient algorithm to compute DL(P, Q).
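The identity check of steps 21 and 22 and the bilinearity property 1) above, run on a toy bilinear map so that the algebra can actually be executed; this is an added example, not the patent's code or any product implementation. Assumed here: G_1 = Z_q under addition with P = 1 (so the patent's "Q_i P" is a product mod q), G_2 = the order-q subgroup of Z_p^* with p = 2q + 1, DL(A, B) = g^(AB) mod p, and all class, function and table names. Discrete logarithms in this G_1 are trivial, so the model shows only the message flow and the check, not the security of a real pairing.

```python
"""Toy model of the patent's preparation step and of the step 21/22 check.

Constructed, insecure parameters: p = 2q + 1 with q prime, g = 2^2 so that g
has order exactly q in Z_p^*.  DL(A, B) = g^(A*B) mod p is bilinear and
non-degenerate, which is all the protocol algebra needs.
"""
import hashlib
import secrets

p, q, g = 1019, 509, 4   # constructed toy parameters (p and q are prime)
P = 1                    # generator of the additive toy group G1 = Z_q


def DL(A: int, B: int) -> int:
    """Toy bilinear map G1 x G1 -> G2: DL(aA, bB) == DL(A, B)^(ab)."""
    return pow(g, (A * B) % q, p)


def H(identity: str) -> int:
    """Hash function H: {0,1}* -> G1 (SHA-256 reduced mod q, never zero)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % q
    return h or 1


def rand_scalar() -> int:
    """Random non-zero scalar in 1..q-1 (stands in for the patent's random picks)."""
    return secrets.randbelow(q - 1) + 1


class ControlEnd:
    """One CE_i. Private: b_i, c_i, s_i and c_i^-1. Public: ID_i and Q_i."""

    def __init__(self, identity: str, b: int = None, c: int = None):
        self.ID = identity
        self.Q = H(identity)                  # public key Q_i = H(ID_i)
        self.b = b if b is not None else rand_scalar()
        self.s = (self.b * self.Q) % q        # private key s_i = b_i Q_i
        self.c = c if c is not None else rand_scalar()
        self.D = (self.c * self.s) % q        # D_i = c_i s_i, registered at the server
        self.c_inv = pow(self.c, -1, q)       # multiplicative inverse of c_i
        assert (self.c * self.c_inv) % q == 1

    def register(self, server: dict) -> None:
        """Preparation phase: the industrial control server records ID_i -> D_i."""
        server[self.ID] = self.D

    def triple(self) -> tuple:
        """Step 21: <ID_i, V_i, E_i> with V_i = s_i P and E_i = c_i Q_i."""
        return (self.ID, (self.s * P) % q, (self.c * self.Q) % q)


def verify_triple(server: dict, triple: tuple) -> bool:
    """Step 22 at CE_j: DL(V_i, E_i) must equal DL(Q_i P, D_i).

    An ID_i the server never registered, or a mismatch of the two pairing
    values, means VERFAIL and the negotiation is terminated.
    """
    ID, V, E = triple
    D = server.get(ID)
    if D is None:
        return False
    Qi = H(ID)
    return DL(V, E) == DL((Qi * P) % q, D)


def demo() -> dict:
    """Two registered devices pass; a device that reuses the ID_i of CE-1 but
    holds its own b and c (so its D does not match the registered D_1) fails,
    as does an ID the server has no D for."""
    server = {}                                   # ID_i -> D_i table
    ce1 = ControlEnd("CE-1", b=17, c=23)
    ce2 = ControlEnd("CE-2", b=101, c=7)
    for ce in (ce1, ce2):
        ce.register(server)
    impostor = ControlEnd("CE-1", b=200, c=301)  # same ID, different keys
    return {
        "ce1_ok": verify_triple(server, ce1.triple()),
        "ce2_ok": verify_triple(server, ce2.triple()),
        "impostor_rejected": not verify_triple(server, impostor.triple()),
        "unknown_id_rejected": not verify_triple(server, ControlEnd("CE-9").triple()),
    }


if __name__ == "__main__":
    print(demo())
```

The check succeeds exactly when b_i c_i matches the product behind the registered D_i, which is the algebra the patent writes out in step 22.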
The identity in an identity-based public key cryptosystem is a meaningful string related to the user, such as an identification number or an e-mail address. In the encryption process the encryptor uses the string representing the receiver's identity as the public key to encrypt the content, so the encryptor no longer needs to query a trusted third party for the receiver's public key, which greatly simplifies the management of public key information; the receiver decrypts the content with the private key corresponding to the identity. In 1984, Shamir proposed the idea of identity-based cryptography and constructed an identity-based signature (IBS) scheme. That is, the public key in the signature scheme is the identity of the user, and the verifier verifies a signature using the signer's identity as the public key.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention, and these are within the scope of the present invention. Therefore, the protection scope of the present invention should be subject to the appended claims.
Claims (4)
1. An industrial control secure communication system comprises a cloud end and at least two control ends connected with the cloud end through a 5G network; the cloud end comprises a certificate server, a cloud security module and an industrial control server connected respectively to the certificate server and the cloud security module; each control end comprises a 5G communication module, a control end security module and an industrial control module connected respectively to the 5G communication module and the control end security module; the system is characterized in that:
the industrial control server of the cloud is in communication connection with the 5G communication module of the control end through a 5G network so as to realize bidirectional communication between the cloud and the control end;
all control ends are in communication connection through a field bus so as to realize mutual communication;
the cloud security module and the control end security module provide a cryptographic service function and a secure storage function; the cryptographic service function comprises random number generation, signature and verification operations, encryption and decryption operations, session key generation and hash operations;
the industrial control server calls the corresponding cryptographic service function provided by the cloud security module; the industrial control module calls the corresponding cryptographic service function and secure storage function provided by the control end security module;
the certificate server generates and stores a corresponding public key certificate for the cloud end, and writes the public key in the cloud end's public key certificate into the control end security module of each control end in an off-line manner; the cloud security module stores the private key corresponding to the public key in that public key certificate;
the industrial control secure communication system comprises a preparation stage, a group session key negotiation stage and a group secure encryption communication stage;
the preparation stage specifically comprises the following steps:
at least two control terminals are used as session key agreement of secure communication groupMembers of the business, unifying CEsiWherein i is 1,2, …, n; n is a natural number greater than 1; a control end group session key safety storage area is arranged in a control end safety module of the control end; the control end group session key secure storage area is uniformly used by KZiWherein i is 1,2, …, n; n is a natural number greater than 1; k is a group session key to be negotiated;
the industrial control server at the cloud end generates the following system parameters: g1And G2A cyclic addition group and a cyclic multiplication group with the order of q, and bilinear mapping DL: G1×G1→G2,P∈G1Random selection ofAs the random number of the key agreement, the hash function H: {0,1}*→ G1; the industrial control server discloses system parameters<P,DL,q,G1,G2,H,t>(ii) a WhereinIn order to be a finite field, the method comprises the following steps,the unit cell of (a) is e; IDiIs CEiOf a unique identity, Qi=H(IDi) Is CEiThe public key of (2); IDiAnd QiAre disclosed wherein i ═ 1,2, …, n; n is a natural number greater than 1;
each CEiRandom selectionCalculating si=biQi,siIs CEiThe private key of (1); then, the CEiRandom selectionCalculating Di=cisi(ii) a Then, in an off-line mannerWill DiTransmitting to the industrial control server of the cloud end or by using the public key pair D in the public key certificate of the cloud endiAfter being encrypted, the data are transmitted to the industrial control server at the cloud end through a 5G network; the industrial control server utilizes a private key corresponding to the public key of the cloud end to decrypt, so that D is obtained and storedi(ii) a The industrial control server establishes an IDiAnd DiThe corresponding relationship of (a); each CEiTaking random numbersEach CEiCalculate and save ciMultiplicative inverse element ofWhereinWherein i is 1,2, …, n; n is a natural number greater than 1;
the group session key negotiation stage specifically includes the following steps:
each CE_i generates E_i = c_i Q_i and V_i = s_i P, then sends the triple <ID_i, V_i, E_i> to each CE_j, where i = 1, 2, …, n; j = 1, 2, …, n, j ≠ i; n is a natural number greater than 1;
after CE_j receives the triple <ID_i, V_i, E_i> sent by CE_i, it obtains the D_i corresponding to ID_i from the industrial control server, then calculates DL(V_i, E_i) and DL(Q_i P, D_i) respectively and compares the two values to verify CE_i; if the values differ, verification fails, CE_j sends a verification failure identifier VERFAIL to each CE_i and to the industrial control server, and the group session key negotiation process is terminated; if the two values are the same, verification passes and the next step proceeds;
CE_i calculates M_i = c_i P and sends it to each CE_j, where i = 1, 2, …, n; j = 1, 2, …, n, j ≠ i; n is a natural number greater than 1;
after CE_j receives M_i from CE_i, it calculates N_ji = g_j M_i and sends N_ji to CE_i;
after CE_i receives N_ji from CE_j, it calculates [formula illegible]; CE_i calculates r_i = g_i P; CE_i then computes K_i as [formula illegible], where i = 1, 2, …, n; j = 1, 2, …, n, j ≠ i; n is a natural number greater than 1; each CE_i stores K_i in KZ_i; the group session key K = K_i;
the group secure encrypted communication stage specifically comprises the following step:
after the group session key K is successfully negotiated, each CE_i, where i = 1, 2, …, n and n is a natural number greater than 1, can perform group secure encrypted communication using the group session key K.
2. The industrial control secure communication system according to claim 1, wherein the control ends are communicatively connected through a field bus; specifically, the industrial control modules of the control ends are each connected to the field bus and communicate with one another over it.
3. The industrial control secure communication system according to claim 1, wherein the control end security module and the cloud end security module are both secure intelligent chips; the commercial cryptographic algorithms supported by the secure intelligent chip comprise at least one of SM1, SM2 and SM3, and the international general-purpose cryptographic algorithms supported comprise at least one of 3DES, AES, RSA, SHA-1 and SHA-256; the secure intelligent chip supports storing a digital certificate; the secure intelligent chip provides a secure storage area and supports secure storage of important information; the secure intelligent chip supports generation of random numbers; and the certificate server maintains a certificate revocation list and provides a certificate revocation list query function.
4. A method for industrial control secure communication using the industrial control secure communication system according to any one of claims 1 to 3, wherein the industrial control secure communication method comprises a preparation stage, a group session key negotiation stage and a group secure encrypted communication stage;
step 1), the preparation phase specifically comprises the following steps:
at least two control terminals serve as members of the session key negotiation of the secure communication group and are uniformly denoted CE_i, where i = 1, 2, …, n and n is a natural number greater than 1; a control end group session key secure storage area is arranged in the control end security module of each control end; the control end group session key secure storage areas are uniformly denoted KZ_i, where i = 1, 2, …, n and n is a natural number greater than 1; K is the group session key to be negotiated;
the industrial control server at the cloud end generates the following system parameters: G_1 and G_2, a cyclic additive group and a cyclic multiplicative group of order q, and a bilinear map DL: G_1 × G_1 → G_2; P ∈ G_1; a random number t is selected as the random number of the key agreement; a hash function H: {0,1}* → G_1; the industrial control server discloses the system parameters <P, DL, q, G_1, G_2, H, t>; the finite field used has unit element e; ID_i is the unique identity of CE_i, and Q_i = H(ID_i) is the public key of CE_i; ID_i and Q_i are disclosed, where i = 1, 2, …, n and n is a natural number greater than 1;
each CE_i randomly selects b_i and calculates s_i = b_i Q_i; s_i is the private key of CE_i; CE_i then randomly selects c_i and calculates D_i = c_i s_i; D_i is then either transmitted off-line to the industrial control server at the cloud end, or encrypted with the public key in the public key certificate of the cloud end and transmitted to the industrial control server at the cloud end through the 5G network; the industrial control server decrypts it with the private key corresponding to the public key of the cloud end, thereby obtaining and storing D_i; the industrial control server establishes the correspondence between ID_i and D_i; each CE_i takes a random number g_i; each CE_i calculates and saves the multiplicative inverse of c_i; where i = 1, 2, …, n and n is a natural number greater than 1;
step 2), the group session key negotiation stage specifically includes the following steps:
step 21), each CE_i generates E_i = c_i Q_i and V_i = s_i P, then sends the triple <ID_i, V_i, E_i> to each CE_j, where i = 1, 2, …, n; j = 1, 2, …, n, j ≠ i; n is a natural number greater than 1;
step 22), after CE_j receives the triple <ID_i, V_i, E_i> sent by CE_i, it obtains the D_i corresponding to ID_i from the industrial control server, then calculates DL(V_i, E_i) and DL(Q_i P, D_i) respectively and compares the two values to verify CE_i; if the values differ, verification fails, CE_j sends a verification failure identifier VERFAIL to each CE_i and to the industrial control server, and the group session key negotiation process is terminated; if the two values are the same, verification passes and the next step proceeds;
step 23), CE_i calculates M_i = c_i P and sends it to each CE_j, where i = 1, 2, …, n; j = 1, 2, …, n, j ≠ i; n is a natural number greater than 1;
step 24), after CE_j receives M_i from CE_i, it calculates N_ji = g_j M_i and sends N_ji to CE_i;
step 25), after CE_i receives N_ji from CE_j, it calculates [formula illegible]; CE_i calculates r_i = g_i P; CE_i then computes K_i as [formula illegible], where i = 1, 2, …, n; j = 1, 2, …, n, j ≠ i; n is a natural number greater than 1; each CE_i stores K_i in KZ_i; the group session key K = K_i;
step 3), the group secure encrypted communication stage specifically comprises the following step:
after the group session key K is successfully negotiated, each CE_i, where i = 1, 2, …, n and n is a natural number greater than 1, can perform group secure encrypted communication using the group session key K.
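The negotiation of claims 1 and 4 (steps 21 to 25), as an added executable model that is not part of the patent. It runs the algebra on a toy bilinear map chosen by this example, not by the patent: G_1 = (Z_q, +), G_2 = the order-q subgroup of Z_p^* generated by g, and DL(a, b) = g^(a·b mod q) mod p. That map is bilinear but gives no security (discrete logarithms in Z_q are trivial), so it serves only to check the protocol's consistency offline. Two step-25 formulas are not legible in the claims; the example assumes CE_i multiplies N_ji by its stored inverse of c_i (recovering r_j = g_j P, matching r_i = g_i P) and that K_i is a SHA-256 over all r values and t. The classes CloudServer, ControlEnd, VerifyFailed and the function negotiate are this example's own names.

```python
"""Toy model of the group session key negotiation in claims 1 and 4 (added example).

Assumed, not from the patent: G1 = (Z_q, +), G2 = <g> of order q in Z_p^*,
DL(a, b) = g^(a*b mod q) mod p. Bilinear, but insecure; for illustration only.
"""
import hashlib
import secrets

P_MOD = 10091                               # prime p (constructed toy parameter)
Q = 1009                                    # prime q with q | p - 1
G2_GEN = pow(2, (P_MOD - 1) // Q, P_MOD)    # generator g of the order-q subgroup
assert G2_GEN != 1 and pow(G2_GEN, Q, P_MOD) == 1


def DL(a: int, b: int) -> int:
    """Toy bilinear map DL: G1 x G1 -> G2."""
    return pow(G2_GEN, (a * b) % Q, P_MOD)


def H(data: bytes) -> int:
    """Hash function H: {0,1}* -> G1, never returning the zero element."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def rand_scalar() -> int:
    """Random element of Z_q^* (1 .. q-1)."""
    return 1 + secrets.randbelow(Q - 1)


class VerifyFailed(Exception):
    """Raised where step 22 sends VERFAIL and aborts the negotiation."""


class CloudServer:
    """Industrial control server: publishes P and t, keeps the ID_i -> D_i table."""

    def __init__(self) -> None:
        self.P = rand_scalar()              # P in G1
        self.t = rand_scalar()              # key-agreement random number t
        self.registry = {}                  # ID_i -> D_i

    def register(self, id_: str, D: int) -> None:
        self.registry[id_] = D              # stands in for the off-line / encrypted delivery of D_i

    def lookup(self, id_: str) -> int:
        return self.registry[id_]


class ControlEnd:
    """One CE_i; attribute KZ plays the role of the secure storage area KZ_i."""

    def __init__(self, id_: str, server: CloudServer) -> None:
        self.id, self.server = id_, server
        self.Q = H(id_.encode())                    # Q_i = H(ID_i), public key
        self.b = rand_scalar()
        self.s = (self.b * self.Q) % Q              # s_i = b_i Q_i, private key
        self.c = rand_scalar()
        self.D = (self.c * self.s) % Q              # D_i = c_i s_i
        self.c_inv = pow(self.c, Q - 2, Q)          # multiplicative inverse of c_i (Fermat)
        self.g = rand_scalar()                      # random number g_i
        self.r = {}                                 # r_j values learned from peers
        self.KZ = None
        server.register(id_, self.D)

    def triple(self):
        """Step 21: <ID_i, V_i, E_i> with V_i = s_i P and E_i = c_i Q_i."""
        return self.id, (self.s * self.server.P) % Q, (self.c * self.Q) % Q

    def verify_triple(self, triple) -> None:
        """Step 22: DL(V_i, E_i) must equal DL(Q_i P, D_i) for the registered D_i."""
        id_i, V_i, E_i = triple
        Q_i, P, D_i = H(id_i.encode()), self.server.P, self.server.lookup(id_i)
        if DL(V_i, E_i) != DL((Q_i * P) % Q, D_i):
            raise VerifyFailed(f"{self.id}: VERFAIL for {id_i}")

    def M(self) -> int:
        """Step 23: M_i = c_i P."""
        return (self.c * self.server.P) % Q

    def respond(self, M_i: int) -> int:
        """Step 24, acting as CE_j: N_ji = g_j M_i."""
        return (self.g * M_i) % Q

    def absorb(self, id_j: str, N_ji: int) -> None:
        """Step 25 (assumed form): strip c_i with its inverse, recovering r_j = g_j P."""
        self.r[id_j] = (self.c_inv * N_ji) % Q

    def derive_key(self) -> str:
        """Step 25 (assumed form): K_i = SHA-256 over all r values, by ID, and t."""
        self.r[self.id] = (self.g * self.server.P) % Q       # r_i = g_i P
        material = b"".join(f"{i}:{self.r[i]};".encode() for i in sorted(self.r))
        self.KZ = hashlib.sha256(material + str(self.server.t).encode()).hexdigest()
        return self.KZ


def negotiate(members) -> list:
    """Run steps 21-25 among all members; returns each member's K_i in order."""
    for ce_i in members:                                    # steps 21-22
        for ce_j in members:
            if ce_j is not ce_i:
                ce_j.verify_triple(ce_i.triple())
    for ce_i in members:                                    # steps 23-25
        for ce_j in members:
            if ce_j is not ce_i:
                ce_i.absorb(ce_j.id, ce_j.respond(ce_i.M()))
    return [ce.derive_key() for ce in members]


if __name__ == "__main__":
    srv = CloudServer()
    group = [ControlEnd(f"CE{i}", srv) for i in range(1, 4)]
    print("all members hold the same K:", len(set(negotiate(group))) == 1)
```

Two properties are worth checking when running it: every member ends with the same K_i in its KZ, and a triple whose V_i or E_i has been altered in transit fails the step-22 comparison because the D_i the verifier fetches from the server was registered during the preparation stage and no longer matches. The pairing check therefore binds each triple to an identity that the cloud server has on record, which is the point of routing D_i through the server in the first place.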
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011538312.XA CN112787819B (en) | 2020-12-23 | 2020-12-23 | Industrial control safety communication system and communication method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112787819A CN112787819A (en) | 2021-05-11 |
CN112787819B true CN112787819B (en) | 2022-03-15 |
Family ID: 75751945
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112787819B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115052050A (en) * | 2022-04-26 | 2022-09-13 | 深圳市云伽智能技术有限公司 | Session negotiation method, device and controller based on ICAP |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8782774B1 (en) * | 2013-03-07 | 2014-07-15 | Cloudflare, Inc. | Secure session capability using public-key cryptography without access to the private key |
CN106549753A (en) * | 2016-10-18 | 2017-03-29 | 电子科技大学 | An identity-based encryption scheme supporting ciphertext comparison |
CN107659395A (en) * | 2017-10-30 | 2018-02-02 | 武汉大学 | An identity-based distributed authentication method and system in a multi-server environment |
CN108390851A (en) * | 2018-01-05 | 2018-08-10 | 郑州信大捷安信息技术股份有限公司 | A secure remote control system and method for industrial equipment |
CN109040149A (en) * | 2018-11-02 | 2018-12-18 | 美的集团股份有限公司 | Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system |
CN112040483A (en) * | 2020-06-04 | 2020-12-04 | 南京南瑞信息通信科技有限公司 | Lightweight efficient identity authentication method and system |
CN112055071A (en) * | 2020-08-31 | 2020-12-08 | 郑州信大捷安信息技术股份有限公司 | Industrial control safety communication system and method based on 5G |
CN112055330A (en) * | 2020-08-31 | 2020-12-08 | 郑州信大捷安信息技术股份有限公司 | V2X Internet of vehicles safety communication system and method based on 5G |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10757569B2 (en) * | 2016-08-05 | 2020-08-25 | Nokia Technologies Oy | Privacy preserving authentication and key agreement protocol for apparatus-to-apparatus communication |
Non-Patent Citations (2)
Title |
---|
"Research on Network Security Communication Protocols Based on Cryptographic Technology"; 袁巍; Jilin University doctoral dissertation; 20130815; full text * |
"Research on the Theory and Application of Identity-Based Authentication Protocols"; 曹雪菲; Xidian University doctoral dissertation; 20090715; full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||